From 1123942fce9590bfa1a0f21f078020e342ec1223 Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Wed, 27 Sep 2017 20:15:39 +0000
Subject: Merge branch 'fix-arbitrary-redirect-vulnerability' into 'security-10-0'
Fix arbitrary redirect location vulnerability
See merge request gitlab/gitlabhq!2192
---
 app/controllers/projects/application_controller.rb | 10 ----------
 app/controllers/projects_controller.rb | 10 ++++++++++
 changelogs/unreleased/fix-arbitrary-redirect-vulnerability.yml | 5 +++++
 3 files changed, 15 insertions(+), 10 deletions(-)
 create mode 100644 changelogs/unreleased/fix-arbitrary-redirect-vulnerability.yml
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index d7dd8ddcb7d..9e79852e378 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -2,7 +2,6 @@ class Projects::ApplicationController < ApplicationController
 include RoutableActions
 skip_before_action :authenticate_user!
- before_action :redirect_git_extension
 before_action :project
 before_action :repository
 layout 'project'
@@ -11,15 +10,6 @@ class Projects::ApplicationController < ApplicationController
 private
- def redirect_git_extension
- # Redirect from
- # localhost/group/project.git
- # to
- # localhost/group/project
- #
- redirect_to url_for(params.merge(format: nil)) if params[:format] == 'git'
- end
-
 def project
 return @project if @project
 return nil unless params[:project_id] || params[:id]
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index b13034d3333..0794fea2c2b 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -3,6 +3,7 @@ class ProjectsController < Projects::ApplicationController
 include ExtractsPath
 before_action :authenticate_user!, except: [:index, :show, :activity, :refs]
+ before_action :redirect_git_extension, only: [:show]
 before_action :project, except: [:index, :new, :create]
 before_action :repository, except: [:index, :new, :create]
 before_action :assign_ref_vars, only: [:show], if: :repo_exists?
@@ -399,4 +400,13 @@ class ProjectsController < Projects::ApplicationController
 def project_export_enabled
 render_404 unless current_application_settings.project_export_enabled?
 end
+
+ def redirect_git_extension
+ # Redirect from
+ # localhost/group/project.git
+ # to
+ # localhost/group/project
+ #
+ redirect_to request.original_url.sub(/\.git\/?\Z/, '') if params[:format] == 'git'
+ end
 end
diff --git a/changelogs/unreleased/fix-arbitrary-redirect-vulnerability.yml b/changelogs/unreleased/fix-arbitrary-redirect-vulnerability.yml
new file mode 100644
index 00000000000..8d456b57963
--- /dev/null
+++ b/changelogs/unreleased/fix-arbitrary-redirect-vulnerability.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent an open redirect on project pages
+merge_request:
+author:
+type: security
-- cgit v1.2.3
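Review bot: The `sub` on the added `redirect_to` line only strips `.git` when it sits at the very end of `request.original_url`, so a request like `/group/project.git?ref=main`, or `/group/project?format=git` (where `params[:format]` is satisfied by the query string rather than the path), leaves the URL unchanged and `show` redirects to itself, which clients will report as a redirect loop. As far as I can tell Rails' `original_url` includes the query string, which is what makes the `\Z` anchor miss in those cases. I would anchor the pattern before a query string or end of input and redirect only when the substitution actually changed something: `return unless params[:format] == 'git'`, `target = request.original_url.sub(/\.git\/?(?=\?|\z)/, '')`, `redirect_to target if target != request.original_url`. Since the point of the change is presumably that `url_for(params...)` honored request-supplied URL components such as `host`, a short why-comment on the method, e.g. `# Built from request.original_url on purpose: url_for(params) let callers choose the redirect host`, would keep a later cleanup from reintroducing the open redirect.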